How your smart device caused the internet to crash and burn

The most terrifying thing about the most recent cyber attack is that the devices that surround you could be responsible. Your home assistant was so cool until it destroyed Twitter.

On Friday, two massive distributed denial of service attacks (DDoS) hit Dyn, a company that hosts domain name servers that help users connect to websites. Domain name servers (DNS) are the GPS of the internet, when you type an address into your browser it figures out where the website's data is located.

On Friday, they were smashed hard. The DDoS attacks prevented people from accessing numerous large websites and services, including Twitter, Spotify and Paypal, which rely on Dyn's services. Due to the huge amount of DNS affected, much of the internet struggled to work.

DDoS is a simple but effective cyberattack in which millions of machines are told to constantly bombard a specific server with traffic. In this case, the target was Dyn. The network of computers used in these attacks is typically called a botnet, and the devices in the botnet are called zombies.

The terrifying part of these particular attacks? The instructions for launching an attack of this nature could have been obtained online. The other terrifying part? It used millions of internet of things (IoT) devices, which means anything connected to the internet could potentially become a zombie. This means your television, smart watch, home assistant, coffee machine and anything else that is internet connected could have been used as part of the attack.

How did these attacks happen exactly?

Let's take it back a little. In September, security website KrebsOnSecurity was hit with the then-largest DDoS attack. The botnet behind the Krebs attack used a particular malware code, known as Mirai, which scans the internet looking for vulnerable IoT devices that have default settings. As in, you haven't changed your username and password from admin, admin.

Once the malware finds millions of vulnerable devices, it uses these to launch a massive volley of traffic.

According to KrebsOnSecurity, Mirai is one of two malware families that are being used to get armies of zombies together and perform attacks on targets. Brian Krebs of KrebsOnSecurity told Mashable he suspected the two attacks to be linked.

Last week, one month after the Krebs attack, the hackers released the malware's source code publicly on hacking community Hackforums. This theoretically allowed multiple groups of hackers to get their hands on the code and launch DDoS attacks of the scale seen on Friday.

The more things that are connected to the internet make the attack footprint bigger and bigger.

On Friday afternoon, cybersecurity firm Flashpoint confirmed to Mashable its analysis showed the same malware, Mirai, was used in the Dyn attacks — but an entirely different group of devices was used to execute the attacks.

"Flashpoint has observed Mirai attack commands issued against Dyn infrastructure," the company wrote in its analysis. "Analysts are still investigating the potential impact of this activity and it is not yet clear if other botnets are involved."

The firm said that digital video recorders (DVRs) were among the smart devices used in the attack.

Dyn confirmed on Saturday that one of the sources of traffic were devices infected by Mirai. "We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Dyn's Chief Strategy Officer Kyle York wrote in a statement.

Justin Fier, director for cyber intelligence and analysis at Darktrace, told Mashable the timing of the attack also indicated it may have been Mirai.

"[Dyn] have not said whether it was Mirai or not, but I feel like timing-wise though you had the largest botnet recorded in history two weeks ago, a week later the source code gets released and then you have another massive one that takes out major websites," he said.

"They wrote a small piece of code, deployed it and now all these internet of things devices — which most people just set up and forget about — are actively participating in a DDoS attack. So there are strong indicators that this is probably the same type of attack. The main reason being is the group that did that attack released the source code last week," Fier said.

Fier also noted it is very hard to attribute such attacks to a particular location or cyber gang without the group claiming the attack themselves. This is due to the fact they are using millions of devices all across the world.

"Now other cyber gangs can use that source code. It is not just held with one gang, it is open to the entire world," Fier said. "Anybody, Anonymous or the other hacktivist groups have it at their fingertips."

Great, so how do I save my device?

Consumers need to be aware that their devices could be used for these massive attacks. Fier suggested keeping the devices updated, changing your password from your default password and then updating it regularly to help keep your device out of a DDoS attack.

"The scary thing with it is, a lot of these devices we just set up and forget," he explained. "We don't really pay much attention to and a lot of these devices don't have any virus software so it is going to be very difficult to clean up and detect that these devices are even part of the botnet."

The most terrifying part is that this is just the beginning of these types of attacks. Not only is the source code online, but Fier explained, "the more things that are connected to the internet make the attack footprint bigger and bigger."

UPDATE: Oct. 22, 2016, 5:56 p.m. EDT In a blog post by Dyn, the company confirmed the attack involved tens of millions of IP addresses. This article has been updated to reflect millions of devices were used, rather than billions. Dyn also confirmed in its statement that there were multiple attacks.

CORRECTION: The original story stated your Amazon Echo device could have been used in the attack. This is incorrect. Keep an eye on your router, though.

Mashable
is a global, multi-platform media and entertainment company. Powered by its own proprietary technology, Mashable is the go-to source for tech, digital culture and entertainment content for its dedicated and influential audience around the globe.